Safer Internet Day and how Two Factor Authentication Can Make It Safer

Today, February 7th, 2012, is officially Safer Internet Day (SID). Safer Internet Day is a global campaign that promotes a safer and healthier internet for everyone to use. It is organized by Insafe, was co-founded by the European Union, and encourages responsible use of the internet, online technologies and online services. Safer Internet Day spreads across Europe, Asia, Latin America, Australia, and the United States.

As more people gain access to the internet and more generations connect online, internet security concerns are on the rise. More elderly people than ever are accessing the internet, joining social media sites, and engaging in online communities. Studies show that almost half of all children under 12 are using facebook.com and other social media sites. With this broad and growing user base, online security measures need to be strengthened to keep users and their personal information safe. Most internet sites and social media logins use strong passwords, which are a combination of a login and a static password. These static logins and passwords have long been considered safe, but as technology and hackers advance, online security needs to change and advance as well. Two factor authentication is a great way to increase online security and protect users.

Two factor authentication can be incorporated in any online login session and can be relatively cheap to implement. It identifies someone based on two or more of the three types of authentication factors: something the user knows, something the user has, and something the user is. Combining someone's login (something they know) with something they have, such as a mobile phone with a one-time password sent to it, is a very effective form of two factor authentication and one of the most cost-efficient available today. Because it uses a device that most users already have, there is no additional hardware to deploy and nothing extra for users to carry around. Two factor authentication can help users protect their personal information by helping to thwart unauthorized users from accessing their accounts.

Using two factor authentication with a login and a one-time password sent to a mobile device is effective because there are two layers of security present. The first layer is the login and password, and the second layer is the one-time password sent to the mobile device to authenticate the user. Even if an unauthorized user were to obtain someone's login and password, they wouldn't be able to retrieve the password that is sent to the mobile device.
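The two layers described above, written out as server-side logic in an added example that is not code from the original post: the password check gates the text message, and the texted code is stored only as a hash, expires, is single-use, and is discarded after a few wrong guesses. The `send_sms` callable, the class name, the five-minute lifetime and the three-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 300        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3     # guesses allowed per issued code (assumed policy)

class SmsOtpLogin:
    def __init__(self, send_sms):
        self.send_sms = send_sms   # hypothetical callable(phone, text)
        self.users = {}            # user -> (salt, password_hash, phone)
        self.pending = {}          # user -> [otp_hash, expires, attempts_left]

    @staticmethod
    def _pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, phone):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._pw(password, salt), phone)

    def start(self, user, password, now):
        """Layer 1: verify the password, then text a fresh random code."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec[1], self._pw(password, rec[0])):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[user] = [digest, now + OTP_TTL, MAX_ATTEMPTS]
        self.send_sms(rec[2], f"Your login code is {code}")
        return True

    def finish(self, user, code, now):
        """Layer 2: the code must match, be unexpired, and is single-use."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires, attempts = entry
        ok = now <= expires and hmac.compare_digest(
            digest, hashlib.sha256(code.encode()).digest())
        if ok or attempts <= 1 or now > expires:
            del self.pending[user]      # used, exhausted, or expired
        else:
            entry[2] = attempts - 1     # wrong guess: burn one attempt
        return ok
```

A caller passes its own clock value as `now`, which keeps expiry testable without waiting.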

Microsoft and AARP conducted a study that found that 83 percent of teens, young adults, parents and older adults are going online to help with family communication. With these generations of users using the internet to connect and communicate with each other, stronger security needs to be adopted so that these users are protected. Companies such as Microsoft and Google are launching online security centers to provide assistance and guidance for users to navigate the internet more safely, but there needs to be layered security such as two factor authentication to really ensure the safety of users online. Security guides and tips are useful, but what is really protecting users from unauthorized users trying to access their accounts? Hacking, malware, and phishing tactics have all evolved as the internet landscape has changed, but security has remained stagnant even as more users go online and need online security more than ever.

The focus on Safer Internet Day shouldn't just be on giving guidance and tips on how to navigate the online world more safely. It should be on how organizations can incorporate online security such as two factor authentication to protect their users, and on how users can use two factor authentication to protect themselves from intruders trying to access their accounts. More emphasis needs to be placed on training and guiding users toward better security measures online to really make it a safer internet day, and many days ahead, for all users.

Zappos.com Hacked: How Data Breaches Affect Us

The latest big ecommerce site to fall victim to a cyber attack was Zappos.com. A hacker accessed part of the company's internal network through one of its servers in Kentucky, CEO Tony Hsieh said in an email to employees on January 15, 2012. The data breach compromised customer account information such as billing addresses, names, email addresses, phone numbers, passwords in encrypted form, and the last four digits of credit card numbers. Hsieh said the security problem did not affect "critical credit card and other payment data" and that they were "cooperating with law enforcement to undergo an exhaustive investigation."

Zappos.com was acquired by Amazon.com in July 2009 for $1.2 billion and operates as an independent unit of Amazon.com. Amazon.com is known for having security measures, such as two factor authentication, in place to protect its customers' personal data. The company will be notifying 24 million customers to change their passwords as a protective measure, and to reset their passwords anywhere else they may have used the same one. A menu has been added to Zappos.com pages to "create a new password" to encourage customers to change their passwords as soon as possible. The company is known for its stellar customer service, and due to the high volume of customer calls, it will be switching its phones off and directing customers to contact it via email for assistance.

Even though security measures such as stronger passwords can be in place to protect customers, ecommerce companies like Zappos.com can still be attacked by hackers and data can still be compromised. Not enough information has been released about the attack yet, but customers know that they need to change their passwords to protect themselves. Zappos.com, on the other hand, now knows that it needs better security measures in place to protect its servers and to better detect threats from hackers in the future.

The scariest part of the data breach is that customers' passwords in encrypted form were stolen, and these can be cracked with password-cracking software. This would allow hackers access to customers' logins on other sites if they use the same email and password there. Zappos.com customers whose accounts were breached should be careful to use different passwords on different ecommerce sites, so that if one site gets attacked, their information can't be used on other sites. Users who choose stronger passwords, using a combination of letters, numbers and symbols, reduce the chance of hackers "guessing" their passwords. Unfortunately, the Zappos.com servers were hacked, which users cannot control, but using stronger passwords across the different sites that store their personal information decreases the chances of their passwords being hacked or stolen.

Some users who have Gmail accounts were also compromised recently. Users were notified that suspicious activity had occurred on their accounts and were advised to change their passwords. Some users were compromised by hackers in other countries, such as India, Germany and Russia. Gmail users who use stronger passwords with a combination of letters, numbers and symbols will be safer than users who use only letters and numbers. With Zappos.com accounts and Gmail accounts being compromised recently, users are reminded that stronger passwords should be used on any accounts that store their information online, and that separate passwords should be used across different accounts to protect their sensitive information.

Gmail offers two factor authentication options if you enable them, but this feature is not activated by default. Amazon offers multi factor authentication for its web services, but Zappos.com is run independently and does not yet incorporate multi factor authentication for its users. The added layer of security from the two-factor authentication process allows for a safer user experience online in situations where sensitive information is stored and shared. It makes one wonder if a two-factor authentication solution could have prevented the Zappos.com data breach, not only by protecting its users but also by protecting access to its servers. For instance, if a Zappos.com employee were alerted on their mobile phone that a server was being accessed, they could receive a one-time password and use their login credentials to authorize or reject the access, which could have prevented the attack.

Strong passwords along with better password policies can make for stronger security. Strong two-factor authentication can enhance security and potentially keep companies like Zappos.com alert and on guard against attacks, for example, if servers are being accessed by unauthorized individuals.

Amazon Protects Against Fraud with Multi-Factor Authentication

Amazon.com has not only become the largest online bookstore, but is also a multinational ecommerce company. The company has been spreading its reach like branches of a river while supplying goods to countries across the world. Amazon.com started off by profiting from being an online book brokering system and later offering many products. Amazon.com grew its business through online associates in the form of users.

When scaling a company by having users contribute to both ends of the business, buying and selling, fraudulent and malicious activities become inevitable. Amazon did not become one of the largest ecommerce websites in the world by lacking in security, though. In 2009, Amazon started to offer multi-factor authentication to protect its users against fraud. They now offer free identification through any mobile device or computer that can run a Time-Based One-Time Password application. They also offer paid multi-factor authentication through a third-party proprietary authentication token from Gemalto, which is supposed to offer higher security.

Free Amazon Multi-Factor Authentication

If you are able to run a time-based one-time password application on your smartphone, tablet or computer, you can use the free AWS MFA process. Using this method, when you log into your account with your traditional username and password, a token will be delivered to the application. The token is a one-time password that is generated from an out-of-band network separate from the user's login network, which reduces the chances of man-in-the-middle attacks and makes the authentication process more secure.

Gemalto Multi-Factor Authentication

To increase security even further, Amazon's users may pay for service through Gemalto, which offers a key fob device for authentication. Amazon states that Gemalto's third-party proprietary token device offers better security than the free process. After the RSA hard token breaches, many people are skeptical about the security of proprietary OTP tokens.

Secure Cloud Computing

Amazon, like many companies, runs on a cloud of servers which allows many users to access data remotely at once. Amazon.com and its cloud network offer financial information to its publishers so they can track their earnings. A publisher's user account could display earnings and options for payment to the user. This is one of the reasons why authentication security using a multi-factor process was necessary.

One of the most secure forms of protection for any company storing data on the cloud is an out-of-band, multi-factor authentication process, which Amazon has implemented. This is especially true for ecommerce websites which may be storing financial data and personal information belonging to thousands of users. This added layer of security could be the very reason why the multinational electronic commerce corporation has not been present on recent data breach lists.

2011 was the year of data breaches and more companies are becoming like Amazon and are starting to utilize cloud computing. Will these companies follow suit to provide better protection and privacy to their users that are accessing information on the cloud or will there be a bigger data breach list containing more corporations in 2012? Companies utilizing the cloud to store and access information need to add additional layers of security to protect the information and the best way for them to do that is to utilize multi factor authentication.